Luckystrike: A Malicious Office Document Generator!

Close on the heels of my earlier post about MicroSploit, the Microsoft Office Exploitation Toolkit for the *NIX platform, this post is about Luckystrike, a malicious Microsoft Office document generator that runs on Microsoft’s very own Windows platform.

Luckystrike – Malicious Office Document Generator

What is Luckystrike?

Luckystrike is an open source PowerShell script that creates malicious Microsoft Office documents by driving the Office applications through their COM objects. As of now, it only creates malicious Excel files in the 97-2003 (.xls) format. The main focus is on getting your payloads through while evading anti-virus products.

The author is working on adding support for Microsoft Word files. Luckystrike was designed to be flexible and be easy to operate for inexperienced users as well. The script also auto-updates itself.

At the backend, a SQLite database provides a self-contained and persistent store for payloads, so they can be retrieved and embedded into documents with ease. It also stores code blocks, dependency rules, and infection methods, and the single database file can be shared between team members whenever required. You can store standard shell commands, custom PowerShell scripts, or even executable files (.exe) as payloads; once in the database they can be reused repeatedly. If you want to be really sure that your code executes, you can infect a document with multiple payloads of different infection types too!

The problem that I faced when trying to use this script was that on installation, my AV caught the file as malicious. After adding it to exclusions, I was able to execute it. The first time, though, I was a bit confused reading about 5 options – catalog, payload, template and infection type. Here is what these mean:

Payload – A command, PowerShell script, or executable to be executed on the target machine.

Catalog – A SQLite database containing saved payloads.

Infection Type – The means by which to launch a payload on a target system.

Template – A .xls file that is saved in the database to be used for generating a new, infected file.

Currently supported infection types are:

Shell Command – Uses WScript.Shell from the macro to run the command exactly as written, in a hidden window. Be sure your quoting and escapes are correct, because the command is passed through without modification.

Metadata – Saves your shell command to the `Subject` field of the document metadata, and the macro reads it back from there at run time. Good for Empire stagers! Unfortunately, you can include only one metadata payload per document.
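To make the mechanism behind these infection types concrete, here is an added example of my own (it is not Luckystrike's code) that drives Excel over COM the same way: it creates a workbook, writes a command into the `Subject` metadata field, adds a VBA module whose `Auto_Open` reads that field back, saves the result as a 97-2003 .xls, and then reopens the file with macros force-disabled to show what a triage script should look at. The macro body only shows a message box instead of handing the command to WScript.Shell. Assumptions: Excel is installed, the "Trust access to the VBA project object model" setting is enabled for the current user (the `AccessVBOM` registry value under the Excel `Security` key), and the output path and `Subject` text are placeholders.

```powershell
# Added example, not Luckystrike's own code. Assumes Excel is installed and
# HKCU:\Software\Microsoft\Office\<ver>\Excel\Security\AccessVBOM = 1, otherwise
# any access to $wb.VBProject throws. The macro only displays a MsgBox.

$OutFile = Join-Path $env:TEMP 'demo.xls'   # assumed output path
$Subject = 'calc.exe'                       # stand-in for the command kept in metadata

function New-MacroXls {
    param([string]$Path, [string]$SubjectText)

    $excel = New-Object -ComObject Excel.Application
    $excel.Visible       = $false
    $excel.DisplayAlerts = $false          # suppress the .xls compatibility prompt on SaveAs
    try {
        $wb = $excel.Workbooks.Add()

        # "Metadata" infection type: the command lives in the Subject property,
        # and the macro fetches it at run time instead of carrying it inline.
        $wb.BuiltinDocumentProperties.Item('Subject').Value = $SubjectText

        # vbext_ct_StdModule = 1. Auto_Open fires when the workbook opens
        # (after the user clicks Enable Content).
        $module = $wb.VBProject.VBComponents.Add(1)
        $module.Name = 'Module1'
        $vba = @'
Sub Auto_Open()
    Dim cmd As String
    cmd = ActiveWorkbook.BuiltinDocumentProperties("Subject").Value
    ' A real "Shell Command" payload would pass cmd to WScript.Shell in a hidden window.
    MsgBox "Subject field contains: " & cmd
End Sub
'@
        $module.CodeModule.AddFromString($vba)

        # xlExcel8 = 56 is the 97-2003 .xls binary format Luckystrike targets.
        $wb.SaveAs($Path, 56)
        $wb.Close($false)
    }
    finally {
        $excel.Quit()
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($excel)
    }
}

# Triage side: reopen read-only with macros force-disabled and report the
# two things a defender wants to know about a suspect .xls.
function Get-XlsMacroInfo {
    param([string]$Path)

    $excel = New-Object -ComObject Excel.Application
    $excel.Visible            = $false
    $excel.DisplayAlerts      = $false
    $excel.AutomationSecurity = 3          # msoAutomationSecurityForceDisable: never run macros
    try {
        $wb = $excel.Workbooks.Open($Path, 0, $true)   # UpdateLinks = 0, ReadOnly = $true

        $modules    = @()
        $autoOpen   = $false
        foreach ($component in $wb.VBProject.VBComponents) {
            $modules += $component.Name
            $count = $component.CodeModule.CountOfLines
            if ($count -gt 0) {
                $code = $component.CodeModule.Lines(1, $count)
                if ($code -match 'Auto_Open|Workbook_Open') { $autoOpen = $true }
            }
        }

        [pscustomobject]@{
            Subject     = $wb.BuiltinDocumentProperties.Item('Subject').Value
            Modules     = $modules
            HasAutoOpen = $autoOpen
        }
        $wb.Close($false)
    }
    finally {
        $excel.Quit()
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($excel)
    }
}

New-MacroXls     -Path $OutFile -SubjectText $Subject
Get-XlsMacroInfo -Path $OutFile
```

Two details matter for practitioners. First, the generator needs the VBA object model trust setting, which is exactly why Luckystrike's installer has to touch Excel's security configuration on the operator's machine. Second, when analysing a sample rather than producing one, set `AutomationSecurity` before `Workbooks.Open`, or the Auto_Open macro you are trying to inspect will run in your triage session.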

All in all, this looks like a good start. Can’t wait for future releases as this tool looks promising!

Install Luckystrike:

The installation script takes care of everything for you. All you need is a Microsoft Windows system with PowerShell v5 and the PSSQLite module; if the module is missing, the script installs it. All you need to do is run the following command from an elevated PowerShell prompt:
